Differences between revisions 1 and 2
Revision 1 as of 2012-09-10 09:11:26
Size: 1380
Editor: PieterSmit
Comment: Create page and 1st example
Revision 2 as of 2012-09-10 09:14:20
Size: 2037
Editor: PieterSmit
Comment: Add some notes on speeding up pbr with cef.
Line 31: Line 31:
   * Enables fast switching of PBR.
      * Router(config-if)# ip route-cache policy
   * --(Enables fast switching of PBR.)--
      * --(Router(config-if)# ip route-cache policy)--
      * Beginning in IOS 12.0, PBR is supported in CEF switching path. CEF-switched PBR has better performance than fast-switched PBR and, therefore, is the optimal way to perform PBR on a router.

No special configuration is required to enable CEF-switched PBR. It is on by default as soon as you enable CEF and PBR on the router.
   * Enabling Local PBR
     * Packets that are generated by the router are not normally policy-routed. To enable local PBR for such packets, indicate which route map the router should use by using the following command in global configuration mode:
     * Router(config)# ip local policy route-map map-tag

Cisco PBR

  • Base the routing decision on configured rules rather than on routes learned from a routing protocol.
  • RISK: hard to maintain, and because the policy is fixed it can black-hole traffic when the network topology changes.
  • Debug:
    • debug ip policy
  • Example, applied to eth0 (Ethernet0 in the config below): matches traffic entering that interface and forces it out eth1 (Ethernet1) if the ACL matches.
    • Note: The log keyword in the access-list command is not supported by PBR.

interface Ethernet0
 ip address 172.16.1.1 255.255.255.0
 no ip directed-broadcast
 ip policy route-map net-10
!
access-list 111 permit ip 10.0.0.0 0.255.255.255 any
!
route-map net-10 permit 10
 match ip address 111
 set interface Ethernet1
! 'set interface' only works if ARP can resolve the destination on that link.
! Alternative (better: forwards to the next-hop router):
!  set ip next-hop 172.2.1.1
!
route-map net-10 permit 20
!
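As an added check (not from the original page), the following Python encodes the two caveats above, the unsupported log keyword and set interface relying on ARP, plus a check for a route-map applied to an interface but never defined. The sample configuration is constructed, and the parser handles only the numbered-ACL and route-map syntax shown on this page:

```python
import re
from collections import defaultdict

# Constructed sample: the page's PBR snippet plus two deliberate defects to find
# (an ACL entry using 'log', and a route-map applied but never defined).
SAMPLE_CONFIG = """\
interface Ethernet0
 ip policy route-map net-10
!
interface Ethernet2
 ip policy route-map net-20
!
access-list 111 permit ip 10.0.0.0 0.255.255.255 any log
!
route-map net-10 permit 10
 match ip address 111
 set interface Ethernet1
!
route-map net-10 permit 20
!
"""

def audit_pbr(config):
    # Returns a list of (severity, message) findings for PBR defects in an IOS config text.
    acl_log, maps, applied, findings, current = set(), defaultdict(list), {}, [], None
    for line in config.splitlines():
        line = line.rstrip()
        if m := re.match(r"interface (\S+)", line):
            current = ("if", m.group(1))
        elif m := re.match(r"route-map (\S+) (permit|deny) (\d+)", line):
            current = ("rm", m.group(1))
            maps[m.group(1)].append({"seq": int(m.group(3)), "match": [], "set": []})
        elif m := re.match(r"access-list (\d+) .*\blog\b", line):
            acl_log.add(m.group(1))          # numbered ACL entry carrying 'log'
        elif line == "!":
            current = None                   # section separator ends the sub-mode
        elif current and current[0] == "if" and (m := re.match(r" ip policy route-map (\S+)", line)):
            applied[current[1]] = m.group(1)
        elif current and current[0] == "rm" and (m := re.match(r" (match|set) (.+)", line)):
            maps[current[1]][-1][m.group(1)].append(m.group(2))
    for ifname, rm in applied.items():
        if rm not in maps:
            findings.append(("ERROR", f"{ifname}: route-map {rm} is applied but never defined"))
    for name, clauses in maps.items():
        for c in clauses:
            for acl in (mt.replace("ip address ", "") for mt in c["match"]):
                if acl in acl_log:
                    findings.append(("WARN", f"{name} seq {c['seq']}: ACL {acl} uses 'log', unsupported by PBR"))
            sets = " | ".join(c["set"])
            if "interface " in sets and "ip next-hop" not in sets:
                findings.append(("WARN", f"{name} seq {c['seq']}: 'set interface' without 'set ip next-hop' depends on ARP resolving the destination"))
    return findings
```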
  • Note:
    • Policy-based routing for encrypted traffic
      • Forward the decrypted traffic to a loopback interface so that the encrypted traffic can be routed by policy, and then apply PBR on that interface. If the encrypted traffic is passed over a VPN tunnel, disable ip cef on the interface and terminate the VPN tunnel.
    • Enables fast switching of PBR:
      • Router(config-if)# ip route-cache policy
    • Beginning in IOS 12.0, PBR is supported in the CEF switching path. CEF-switched PBR has better performance than fast-switched PBR and is therefore the optimal way to perform PBR on a router. No special configuration is required to enable CEF-switched PBR; it is on by default as soon as you enable CEF and PBR on the router.
  • Enabling local PBR
    • Packets generated by the router itself are not normally policy-routed. To enable local PBR for such packets, indicate which route map the router should use with the following command in global configuration mode:
    • Router(config)# ip local policy route-map map-tag

...


CategoryCisco

Cisco/PolicyBasedRouting (last edited 2012-09-10 09:14:20 by PieterSmit)